On Tue, 2007-10-02 at 11:32 -0700, Andrew Bartlett wrote:
> (please forgive the cross-posting to subscriber-only lists)
>
> Howard Chu helpfully wrote up this summary of the meeting we held at the
> CIFS Workshop on how Samba4 should work with an LDAP backend.
>
> The background is that Samba4 increasingly needs some things that an
> LDAP server could provide for us. In the short term, we need to add
> subtree renames to ldb_tdb, but OpenLDAP's hdb already provides this for
> us.

Just as an update, I've implemented this, and linked attributes (another
thing we discussed at the CIFS workshop) in Samba4, for ldb_tdb. This
does however bring up the issue of linked attributes in LDAP backends.

Linked attributes include member/memberOf, master/masteredBy and many
others. They are defined in the AD schema, and as far as I know, are
strictly updated as a pair (they are not flattened memberOf listings,
for example).

Linked attributes and subtree renames are closely linked - if you don't
support subtree renames, then handling linked attributes on the Samba
side is easy - the LDAP server remains 'dumb' about it. As I understand
it (corrections welcome), Fedora DS is not likely to handle subtree
renames soon, so this approach will work for Samba4 on Fedora DS.

However, for Samba4 on OpenLDAP, we will want to have the LDAP backend
handle subtree renames. Has there been any work to handle memberOf in
OpenLDAP? How does this interact with subtree renames?

Any other thoughts?

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
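
The interaction between linked attributes and subtree renames raised in this message, as an added Python illustration that is not part of the original post and is not Samba or OpenLDAP code. `ToyDirectory` and its methods are hypothetical, and it assumes links are stored as plain DN strings; it shows a rename that ignores links leaving a group with a member value pointing at a DN that no longer exists.

```python
# Added illustration; ToyDirectory and its methods are hypothetical names.
# Assumption: links are stored as plain DN strings, compared case-sensitively.

class ToyDirectory:
    def __init__(self):
        self.entries = {}  # DN -> {"member": set of DNs, "memberOf": set of DNs}

    def add(self, dn):
        self.entries[dn] = {"member": set(), "memberOf": set()}

    def add_member(self, group, user):
        # Forward link and back link are always written as a pair.
        self.entries[group]["member"].add(user)
        self.entries[user]["memberOf"].add(group)

    @staticmethod
    def _moved(dn, old, new):
        # New DN for an entry at or below the renamed base, else unchanged.
        if dn == old:
            return new
        if dn.endswith("," + old):
            return dn[: -len(old)] + new
        return dn

    def rename_subtree(self, old, new, fix_links):
        # Rename every entry at or below `old`.
        self.entries = {self._moved(dn, old, new): attrs
                        for dn, attrs in self.entries.items()}
        if fix_links:
            # Link-aware rename: rewrite DN values that point into the subtree.
            for attrs in self.entries.values():
                for name in ("member", "memberOf"):
                    attrs[name] = {self._moved(v, old, new) for v in attrs[name]}

    def dangling_links(self):
        # Link values whose target DN no longer exists.
        return sorted((dn, name, v)
                      for dn, attrs in self.entries.items()
                      for name in ("member", "memberOf")
                      for v in attrs[name] if v not in self.entries)


def demo(fix_links):
    d = ToyDirectory()  # constructed sample data
    for dn in ("ou=staff,dc=example", "cn=alice,ou=staff,dc=example",
               "cn=admins,dc=example"):
        d.add(dn)
    d.add_member("cn=admins,dc=example", "cn=alice,ou=staff,dc=example")
    d.rename_subtree("ou=staff,dc=example", "ou=people,dc=example", fix_links)
    return d.dangling_links()
```

Running `dangling_links()` after any rename gives a quick consistency check that every group membership still resolves to a real entry.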
